Schneier on Security
A blog covering security and security technology.
« Biometric Passports in the UK |
| Security Trade-Offs »
April 22, 2005
Universal Automobile Surveillance
Universal automobile surveillance comes to the United Arab Emirates:
IBM will begin installing a "Smart Box" system in vehicles in the United Arab Emirates next year, potentially generating millions in traffic fines for the Gulf state. The UAE signed a $125 million contract with IBM today to provide the high-tech traffic monitoring and speed-enforcing system in which a GPS-enabled "Smart Box" would be installed in cars to provide a voice warning if the driver exceeds the local speed limit for wherever he may be driving. If the voice warning is ignored, the system would use a GSM/GPRS link to beam the car's speed, identity and location to the police so that a ticket could be issued. The system would also track and monitor any other driving violations, including "reckless behavior."
This kind of thing is also being implemented in the UK, for insurance purposes.
Posted on April 22, 2005 at 8:30 AM
• 36 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The power of instant punishment-feedback from neglecting a system warning is pretty scary. They should of named it "Judge Dredd"
You actually watched "Judge Dredd"?
Wow! This has to be one of my worst "big brother" nightmares come true. I don't know about everyone else, but I love to drive fast. Now, I don't drive recklessly, and when there is traffic I only drive a bit above the speed limit. However, on open roads, say late at night, I love to fly down the roads.
Now assuming my car is in good working condition, which it is, as I'm a car fanatic, how is there any harm in this? Why should the government be able to tell me that I can't speed when there is no harm in doing so? I don't want to start an argument about whether or not it is safe to speed. I'm just saying speeding when done responsibly and not recklessly is not in itself a necessarily a dangerous of bad thing.
Moreover, I just don't want the government telling me what I can and can't do on the freedom of the open road.
What happens if you decide to take your vehicle to a track day? I assume there's no way to disable the system or people would be doing it all the time.
"You actually watched "Judge Dredd"?"
As many movies out there the movie you may be referring to was based from a comic book that existed long before the movie.
I'd also like to take this moment to correct my usage of "should of" where it should be "should have".
Lastly, it appears that the police is nothing more than a middle-man in this "Smart Box" model. Why not also have the "Smart Box" system print out a ticket once the user exceeds local traffic laws? Perhaps even have it drive itself to the local impound lot.
I would hope that the track (and other places, like private property in the US, where speed limits do not apply) would be exempt. Even with a +/- 50' resolution, you can distinguish the access road from the track.
I wonder what the penalty would be for having strategically placed bits of tin foil on my car, including one over the GPS antenna?
Actually, the answer is that it isn't safe. That "empty road in the middle of the night" might have someone else on/crossing it. If it's rural wildlife may pop out from the side of the road. I've heard of people dying when they tried to cross an "empty freeway" in the middle of the night, so I would argue that it is NEVER safe to speed too much on an open road in the middle of the night.
I've driven on local roads (minor streets up to freeways) at pretty much every time of day and night. Including rural roads and urban ones... I have never yet found a completely deserted road. Even in the "middle of nowhere" I've not been the only person around.
Save it for the track, you can go as fast as you like there, and it will be a lot safer.
Here's a classic about the people watching the people, who are watching the people. A real technology circus. For educational purposes only.
Speed Camera Maker Caught Speeding in School Zone
UK tabloid catches top speed camera executive blasting through school zones in his convertible.
Speed Check Christopher Booy, executive director of Speed Check Services, which manufactures the SPECS digital speed camera system, was caught speeding in a school zone four times within three days. A British tabloid hired an investigator to trail Booy.
Keep adding layers of complexity and plenty of databases. When the databases get cracked, add some more complexity and upgrade security, then add cameras for more complexity. Then you find people working with a system that can only work if people figure out shortcuts , because the system is far too complex for the average system user. So then you add more cameras, satellite data links and the system is producing more data and the computer is left to decide what camera data should be put in what part of what database. The computer doesn't know a particular database was cracked. Then the computer crashes, is hacked or compromised and you have an information blackout. Security takes time and thought and some people are in a hurry or thoughtless. Many people are both. Computers are not any more secure than than people using them. Sometimes the computers can make the people less secure, with a false sense of security. Cameras are good for capturing a crime, but people are better at preventing crime. Cameras are limited, but the sales pitches are unlimited.
Robbing banks isn't real smart. Not because of cameras, but because there are detectives (human) who are going to find you based on the evidence you leave behind. You can wear a mask, so the camera is fooled. It looks good up there. There is another trail of evidence that you can't mask. It could be something smaller than the eye can see, but it will be there and point you out. I wouldn't replace real security with cameras and expect good results. I like cameras, but I think they are limited as far as preventing or investigating crime is concerned. Computers present different limitations. Some people view computer technology as unlimited. This manifested itself in the FBI Virtual Case File system. The FBI found that replacing paper with technology was too costly and the whole system failed on delivery and they still rely on paper. People rob banks for paper and then find the paper is numbered and can be traced. Paper and numbers are here to stay. Unmasking fraud is fairly easy, if you have the right data. It can be done without cameras or computers, if you have people that know what they are doing. Don't speed or rob banks, it isn't worth the time or aggravation. Haste makes waste.
I'll take a million in cash over a million dollar computer system any day. That's security, that's life. Smile!
Well, if this ever does happen in the US I may have to seriously consider moving to Germany where it is legal to speed. Autobahn here I come.
Virtual Case File system, the $170 million centerpiece of Trilogy's third phase.
CALLING ALL CARS
Hey there all you middlemen, custom-coders and proprietary encryption promoters.
Case of the defunct file system
"Analysts at Aerospace, an independent contractor that FBI officials hired to assess the system, have recommended that the FBI stop funding the project, a Justice Department official said. Virtual Case File "turned out to be a bit of a pig, because it's custom-coded," said the Justice official, who also spoke on condition of anonymity."
My sources say that it was worse than illegal, it was a blunder. I guess it looked good on the computer, but it didn't look the same on paper. It was custom-coded, which means updating it requires more custom-coding I am guessing. I'll bet the sales pitch was custom-coded also. Updating the system's capabilities is virtually impossible, according to published reports. What sort of system is this? It sounds to me like the FBI got "ripped off" in plain old street lingo! SAIC built this system. Somebody stole several of their computers. I guess the FBI is investigating. This would make for a good book Bruce. Call it Book 'em. Get plenty of custom-coding, a publisher and start writing. Send me a copy.
SAN DIEGO (AP) -- Thieves stole several computers containing personal information on 45,000 current and former shareholders of defense contractor Science Applications International Corp., which began alerting those people on Thursday.
The question that comes to my mind is, are these boxes going to be tamper proof?
I can mess that box in my own way to always send "good" readings about my car.
What measures could IBM install to stop me from doing this?
Many countries in the Middle East - I'm personally aware of Saudi Arabia, Bahrain and Kuwait but believe it's common in others - have loud beepers installed in all private cars that go off when you speed. They're really loud, and illegal to disable. They're set for the maximum speed of any road in the country - usually 120kph.
This is why I was really not surprised to see the middle east being the first place to widely deploy a system like this.
If you're going to implement something this draconian, wouldn't it make more sense to have the car automatically limit your speed to the posted limit?
Another question is whether IBM gets a percentage of the ticket fees. That was the connection uncovered in the San Diego case that led a Judge to overturn all stoplight camera ticket fees (Lockheed was paid $70 for every $271 fine issued):
Reminds me of an Australian technology TV show in the 1980s. They said the police in extremely remote areas were experimenting with ways to detect traffic speeds and automatically issue fines.
This takes us back to the age-old debate about personal freedoms. Really, perhaps we've just taken the concept of personal speed and power a little too far, and it's time that the very ability to speed is regulated (as others mentioned above). Is it just me or do efficiency and safety never seem to emerge on their own if you leave it entirely up to market forces?
I think it is one thing to have a train or a plane driven by a professional and strictly regulated by the government that does 500+ Mph, but completely another to have individuals claim a right to wield a vehicle improperly and take an innocent life...
"wherever he may be driving"
According to the CIA factbook, Saudi Arabia only has 45K km (~30K miles) of paved roads and 105K km (~65K miles) unpaved. It only has 1,392 km (865 miles) of rail.
So here's an alternate proposal: Spend $125 million on expanding high-speed public transportation in high-risk areas to reduce the number of speeders and reckless drivers on the road.
This presumes, of course, that the objective is to make roads safer, not just find ways to tax drivers.
I'll second Steve L.'s comments. Out here in corn country there are roads with 8 mile long straightaways and nothing but open field visibility for miles. I also take advantage of my car's abilities on occassion. I drive within my limits and the limits of my car, but not within the speed limits. I don't speed in urban areas and if I am hustling down a backroad, I slow dramatically at the first sign of pedestrians, other vehicles, or animals. The last thing I want is some gov't organization sending me a ticket in the mail because I refuse to submit to a 30MPH speed limit on a deserted road through empty farms.
We'd be better off improving our driver education system as the Germnans have done rather than wasting money trying to monitor every action by every driver on the road. Germany is proof that a society can safely exist with no speed limits given the right conditions. In my 6 years of living and working in Germany I saw exactly two accidents on the autobahn. I see scores of them here every year. Speed doesn't kill; inept driving does.
Safty isn't the only reason for speed limits. If I remember correctly, the 55 mph highway limit of old was imposed partly for fuel conservation reason. Higher driving speed also leads to more traffic jams (since cars can reach bottlenecks on the roads more quickly).
Speed kills on bald tires. I saw a sports car with bald tires. I think they were Goodyear Bald Eagle GT's.
Everybody driving fast will reach bottlenecks on the road faster. Everybody flushing toilets at the exact same time will cause a big flood. This stuff is getting funny.
The reason that autobahns are save at speed is the same reason that racetracks are safe: they were designed for speed.
One-way traffic, no intersections, fences to keep wilflife out, regular TUV inspection of cars, the list goes on.
Probably one of the most important safety features of the autobahn is that drivers know what to expect. You know there will be people going very fast, if you don't like it take another route.
Speeding is safe in context. Unless you have the roads, cars and most importantly, awareness by drivers, autobahn speeds cannot be transplanted to other roads.
I don't care how good a driver you think you are, I don't care how good you think you are at mintaining your car.
The faster you go, the more energy you have when you hit me. If you want to go fast, do it on a racetrack where people are expecting it, and are prepared to put up with the additional risk.
Couple GPS technology with childish magical thinking and this is what you get. Anyone with experience with GPS, who pays attention, knows what happens when signal quality is low: the timing is still good, but the positioning gets sloppy. 'Speed' is positional difference over temporal difference, and nothing more. My Garmin Etrex once had me going 18 km/hr. I was walking at the time, at less than 6 km/hr in an area of one storey buildings and no overhead foliage. The signals should have been good, but the computation was clearly bad. I checked another screen for the 'accuracy' (standard deviation?) and at that moment it was hundreds of meters. It soon stepped down to a single digit.
GPS signals can get weak, and can suffer from multipathing in the 'concrete canyons' of cities. If your Smart Box thinks your car moved 20 miles in the last 5 seconds, and reports this, you are screwed. It would not matter that your car at the time was sitting in line at a drive-up ATM.
This is just a greedy scheme for extorting money, regardless of right or wrong. The innocent will be prosecuted along with the guilty.
Parking meters bring in cash. Meters that run fast bring in more cash. People are fighting back, trying to force parking meters to be periodically calibrated so they will stop cheating innocent people.
The Smart Box can be calibrated, of course, to see how it performs in an ideal situation. This will be little help when you are in bumper-to-bumper freeway traffic and you are boxed in by refrigerator trucks whose metal sides will degrade and multiply reflect L-band signals.
(Note: I don't speed myself. Speeders don't bother me, as they're in the hammer lanes and I'm in the granny lane.)
Speeding aside, I still don't want someone tracking my every move. If the US starts this bull, we may as well all get RFIDs implanted so we can be tracked and recorded every minute of the day. Kiss even the appearance of freedom goodbye.
Once the ability to drive has been removed from enough people (crazy fines they can't defend against nor afford) - the powers that be will be hit with the old supply and demand curve. Fines will be reduced and speed limits will be increased.
I like the system we have in Canada. Let's set up a speed trap in a location where we know a lot of people will be speeding (this wide open area with a nice long downward slope and silly low speed limt). Zero people have ever been hurt here and no animals killed at night - but hey - people will speed here. You are catching the wrong people - yet you do bring in the cash.
Wish upONa STAR. Its already here.
I don't want someone tracking me either, which is why I take pride in being able to jam GPS signals. The moment something like this shows up in my car, a GPS jammer will be right beside it.
Divide we are and divided we will fall, one by one to the powers that be that wnat to catch the non-crims for some extra cash. I feel almost helpless when it comes to constant focus on motorists. Just one or two miles per hour above or below the systen-imposed limit will kill - if your and they are unlucky; so will a fall on the stairs and so on.
As far as inaccuracies of GPS, it sounds like the system would warn you and give you time to slow down before ticketing, so maybe the average over a minute or two would be good enough?
How about overtaking on a two lane road? I mean in able to safely overtake a car going 50 you have to increase your speed at least temporarily to 65-70 to safely overtake that car.
any object in my possession, such as a speedbox/gps transmitter, can be hacked by me or somebody i pay to do it.
The deal is that all of these devices can be hacked. It is expensive to build stuff that can't be tampered with. The first thing any hacker is going to do is pull out a screwdriver. There’s even a Car Hacks & Mods For Dummies book available.
# Hacking the ECU (Engine Control Unit) to adjust performance-enhancing factors like fuel injection, firing the spark plugs, controlling the cooling fan, and more
# Replacing your ECU with a plug and play system such as the APEXi Power FC or the AEM EMS system
Smart hackers won't use books, they will just turn this stuff off or make it send out false information. More privacy means more security. People will find privacy and these morons trying to make a killing compromising privacy will find they lose their security. Face it, the corporate a-holes don't care about your privacy, they want to sell servers and software.
GPS, my behind. Who needs to hack those tamperproof big brother GPS boxes when it's much easier to jam the weak satellite signals? Couple of hours of soldering and assembling, top, for an amateur.
Oh, and that will also screw up GPS navigation for everyone unlucky to be close by.
The law of unintended consequences strikes again.
Police comedy, the next round: the hunt for GPS jammers. "What's that in your pocket, boy?"
Where this silliness is going to end? EMP guns?
The problem is we're often all mixed up in dealing with human nature.
What we often forget in America (probably elsewhere, too) is that laws don't eradicate crime, they simply define it. Better enforcement doesn't eradicate crime, either, it simply means more criminals are caught.
Sure, the behavior of some fraction of the population is altered by the threat of being caught. But people also make mistakes. Plenty are left to break the law intentionally or inadvertently. People are not perfect, and people do not always do the right thing.
So is the goal of big brother enforcement to achieve perfect compliance with all laws and regulations? Because the result inevitably will be nothing better than a lot of people getting in trouble.
Should we have laws? Yes, we as a society have to define a moral/ethical framework of behavior if we expect to operate properly. Should we continue to enforce laws? No question. I, at least, don't like anarchy.
But if we're going to achieve entirely new levels of enforcement for certain laws, society will soon be challenged to find better boundaries and balances between law, freedoms, risk, safety, and personal responsibility.
The reason I would speed is not that I like to go fast, but that I truly believe that I can intelligently and carefully choose a particular speed in excess of the posted limit, based on weather, road conditions, and traffic, which has a tolerable risk of harm to myself or others.
Incidentally, cruise control is not common in UK vehicles, hence by maintaining a speed of 79mph or thereabouts the driver is paying too much attention to the speedometer and not enough to the road.
Let me be the first (AFAIK) to state this thesis: If cars eventually become fully automated and obey the first law of robotics, people will begin walking across freeways regularly. This is because the cars will be made to stop automatically whenever this happens, with the only repercussions against the drivers (i.e., they will be annoyed by having their cars stop).
The way I read it, the driver won't have to take his eyes off the road. The sensor will go off if you go over the speed limit.
You know those little radar signs on the side of the road that tell you how fast you are going? They made the mistake of putting one on the road to my home. A 2 mile straightaway that goes abruptly into a tight, but sweeping "S" curve. I'm driving a 997, and these signs in FLA don't have a camera in them. Duh! So I take great delight in going by that sign at 150 mph on a fairly regular basis. Most of them are only 2 digits, so as you approach at over 100mph... they display triangles, circles and arrows....LOL. I noticed today that there is a new one on my road now that goes to three digits. I examined it and there is NO camera in it. So, I logged 155 as I went by it. I had to laugh at what that readout's reaction will be.
"There must be something wrong with th is machine". So, if they put a transponder on my car... it would get stolen a lot. Either that or I'll wrap it in lead....especially if it is in the front of the car. This is hilarious! Isn't it enough that they put transponders in humans? All this entire thing is about is .... money! A traffic ticket is nothing but a tax. Every cop shop wants your money. Simple as that.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.